GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures With Single-Bit Nonce Bias
|
|
- Jerome Anthony Waters
- 5 years ago
- Views:
Transcription
1 GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures With Single-Bit Nonce Bias Diego F. Aranha Pierre-Alain Fouque Benoît Gerard Jean-Gabriel Kammerer Mehdi Tibouchi Jean-Christophe Zapalowicz NTT Secure Platform Laboratories Asiacrypt, / NTT Secure Platform Laboratories
2 Overview Apology: although we have power analysis in the title and this is a side-channel session, SCA is not our main focus. Twofold motivation: Break the 2-bit bias barrier of HNP lattice attacks on (EC)DSA Consider how such attacks apply to elliptic curves with fast endomorphisms 2/ NTT Secure Platform Laboratories
3 Overview Apology: although we have power analysis in the title and this is a side-channel session, SCA is not our main focus. Twofold motivation: Break the 2-bit bias barrier of HNP lattice attacks on (EC)DSA Consider how such attacks apply to elliptic curves with fast endomorphisms 2/ NTT Secure Platform Laboratories
4 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 3/ NTT Secure Platform Laboratories
5 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 4/ NTT Secure Platform Laboratories
6 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 5/ NTT Secure Platform Laboratories
7 ECDSA Most commonly used elliptic curve-based signature scheme Slightly contrived variant of Schnorr signatures (all results in this talk also apply to actual Schnorr and similar schemes) Description Public params: elliptic curve E/Fq, point P generating a subgroup of large known prime order n Key pair: private key x random in Z/nZ, public key Q = [x]p Signature on m: pair (r, s) computed as k $ Ð (Z/nZ) (u, v) Ð [k]p r Ð u mod n s Ð k 1 (H(m) + rx) mod n Randomness k usually called the nonce; indeed, it must not be reused, otherwise: x = (sh 1 s 1 h)/(s 1 r sr 1 ) mod n but a bit of a misnomer, because non-repetition is not enough. 6/ NTT Secure Platform Laboratories
8 ECDSA Most commonly used elliptic curve-based signature scheme Slightly contrived variant of Schnorr signatures (all results in this talk also apply to actual Schnorr and similar schemes) Description Public params: elliptic curve E/Fq, point P generating a subgroup of large known prime order n Key pair: private key x random in Z/nZ, public key Q = [x]p Signature on m: pair (r, s) computed as k $ Ð (Z/nZ) (u, v) Ð [k]p r Ð u mod n s Ð k 1 (H(m) + rx) mod n Randomness k usually called the nonce; indeed, it must not be reused, otherwise: x = (sh 1 s 1 h)/(s 1 r sr 1 ) mod n but a bit of a misnomer, because non-repetition is not enough. 6/ NTT Secure Platform Laboratories
9 ECDSA Most commonly used elliptic curve-based signature scheme Slightly contrived variant of Schnorr signatures (all results in this talk also apply to actual Schnorr and similar schemes) Description Public params: elliptic curve E/Fq, point P generating a subgroup of large known prime order n Key pair: private key x random in Z/nZ, public key Q = [x]p Signature on m: pair (r, s) computed as k $ Ð (Z/nZ) (u, v) Ð [k]p r Ð u mod n s Ð k 1 (H(m) + rx) mod n Randomness k usually called the nonce; indeed, it must not be reused, otherwise: x = (sh 1 s 1 h)/(s 1 r sr 1 ) mod n but a bit of a misnomer, because non-repetition is not enough. 6/ NTT Secure Platform Laboratories
10 ECDSA Most commonly used elliptic curve-based signature scheme Slightly contrived variant of Schnorr signatures (all results in this talk also apply to actual Schnorr and similar schemes) Description Public params: elliptic curve E/Fq, point P generating a subgroup of large known prime order n Key pair: private key x random in Z/nZ, public key Q = [x]p Signature on m: pair (r, s) computed as k $ Ð (Z/nZ) (u, v) Ð [k]p r Ð u mod n s Ð k 1 (H(m) + rx) mod n Randomness k usually called the nonce; indeed, it must not be reused, otherwise: x = (sh 1 s 1 h)/(s 1 r sr 1 ) mod n but a bit of a misnomer, because non-repetition is not enough. 6/ NTT Secure Platform Laboratories
11 The risk of leaky nonces Rewrite the relation satisfied by ECDSA signatures as: k = H(m)s 1 looomooon h + rs 1 lomon x mod n We know pairs (h, c) such that h + cx = k mod n. If we know something about k (such as its MSBs), it should translate to information about the private key x! Essentially the hidden number problem. Main attack due to Howgrave-Graham & Smart using lattice reduction (reduces HNP to CVP in a suitable lattice) carried out for 2-bit leaks on 160-bit curves (Liu Nguyen 2013) currently out of reach for for 2-bit leaks on 256-bit curves currently out of reach for for 3-bit leaks on 384-bit curves hard limit: impossible for 1-bit leaks (the hidden vector in the lattice is not short enough to recover, even with a CVP oracle) c 7/ NTT Secure Platform Laboratories
12 The risk of leaky nonces Rewrite the relation satisfied by ECDSA signatures as: k = H(m)s 1 looomooon h + rs 1 lomon x mod n We know pairs (h, c) such that h + cx = k mod n. If we know something about k (such as its MSBs), it should translate to information about the private key x! Essentially the hidden number problem. Main attack due to Howgrave-Graham & Smart using lattice reduction (reduces HNP to CVP in a suitable lattice) carried out for 2-bit leaks on 160-bit curves (Liu Nguyen 2013) currently out of reach for for 2-bit leaks on 256-bit curves currently out of reach for for 3-bit leaks on 384-bit curves hard limit: impossible for 1-bit leaks (the hidden vector in the lattice is not short enough to recover, even with a CVP oracle) c 7/ NTT Secure Platform Laboratories
13 The risk of leaky nonces Rewrite the relation satisfied by ECDSA signatures as: k = H(m)s 1 looomooon h + rs 1 lomon x mod n We know pairs (h, c) such that h + cx = k mod n. If we know something about k (such as its MSBs), it should translate to information about the private key x! Essentially the hidden number problem. Main attack due to Howgrave-Graham & Smart using lattice reduction (reduces HNP to CVP in a suitable lattice) carried out for 2-bit leaks on 160-bit curves (Liu Nguyen 2013) currently out of reach for for 2-bit leaks on 256-bit curves currently out of reach for for 3-bit leaks on 384-bit curves hard limit: impossible for 1-bit leaks (the hidden vector in the lattice is not short enough to recover, even with a CVP oracle) c 7/ NTT Secure Platform Laboratories
14 Bleichenbacher s attack Before even the lattice attack was proposed, Bleichenbacher suggested a different approach to HNP (in the context of DSA), based on a Fourier notion of bias Requires many more signatures than the lattice attack for the same parameters, but applies in principle to arbitrarily small biases Presented at an IEEE P1363 meeting in 2000, but never formally published. Reintroduced in a paper by De Mulder et al. at CHES / NTT Secure Platform Laboratories
15 Bleichenbacher s attack Before even the lattice attack was proposed, Bleichenbacher suggested a different approach to HNP (in the context of DSA), based on a Fourier notion of bias Requires many more signatures than the lattice attack for the same parameters, but applies in principle to arbitrarily small biases Presented at an IEEE P1363 meeting in 2000, but never formally published. Reintroduced in a paper by De Mulder et al. at CHES / NTT Secure Platform Laboratories
16 Bleichenbacher s attack Before even the lattice attack was proposed, Bleichenbacher suggested a different approach to HNP (in the context of DSA), based on a Fourier notion of bias Requires many more signatures than the lattice attack for the same parameters, but applies in principle to arbitrarily small biases Presented at an IEEE P1363 meeting in 2000, but never formally published. Reintroduced in a paper by De Mulder et al. at CHES / NTT Secure Platform Laboratories
17 Overview of Bleicherbacher s technique The HNP problem reduces to the following: we are given samples (h j, c j ) such that, for the hidden secret x, the MSBs of the values k j = h j + c j x vanish. The sampled bias of a set of points V = (v 0,, v L 1 ) in Z/nZ defined as B n (V) = 1 L ř L 1 j=0 e2πi v j/n Given the (h j, c j ), consider the vector V = (v j ) given by v j = h j + c j w for some w P Z/nZ. One can check that: if w x, Bn (V) «1/? L is negligible if w = x, B n (V) is close to 1 hence a distinguisher, but not useable because n choices for w Bleichenbacher idea: broaden the peak in bias by reducing the c j s. 9/ NTT Secure Platform Laboratories
18 Overview of Bleicherbacher s technique The HNP problem reduces to the following: we are given samples (h j, c j ) such that, for the hidden secret x, the MSBs of the values k j = h j + c j x vanish. The sampled bias of a set of points V = (v 0,, v L 1 ) in Z/nZ defined as B n (V) = 1 L ř L 1 j=0 e2πi v j/n Given the (h j, c j ), consider the vector V = (v j ) given by v j = h j + c j w for some w P Z/nZ. One can check that: if w x, Bn (V) «1/? L is negligible if w = x, B n (V) is close to 1 hence a distinguisher, but not useable because n choices for w Bleichenbacher idea: broaden the peak in bias by reducing the c j s. 9/ NTT Secure Platform Laboratories
19 Overview of Bleicherbacher s technique The HNP problem reduces to the following: we are given samples (h j, c j ) such that, for the hidden secret x, the MSBs of the values k j = h j + c j x vanish. The sampled bias of a set of points V = (v 0,, v L 1 ) in Z/nZ defined as B n (V) = 1 L ř L 1 j=0 e2πi v j/n Given the (h j, c j ), consider the vector V = (v j ) given by v j = h j + c j w for some w P Z/nZ. One can check that: if w x, Bn (V) «1/? L is negligible if w = x, B n (V) is close to 1 hence a distinguisher, but not useable because n choices for w Bleichenbacher idea: broaden the peak in bias by reducing the c j s. B n (V) 9/ NTT Secure Platform Laboratories 1? L x w
20 Overview of Bleicherbacher s technique The HNP problem reduces to the following: we are given samples (h j, c j ) such that, for the hidden secret x, the MSBs of the values k j = h j + c j x vanish. The sampled bias of a set of points V = (v 0,, v L 1 ) in Z/nZ defined as B n (V) = 1 L ř L 1 j=0 e2πi v j/n Given the (h j, c j ), consider the vector V = (v j ) given by v j = h j + c j w for some w P Z/nZ. One can check that: if w x, Bn (V) «1/? L is negligible if w = x, B n (V) is close to 1 hence a distinguisher, but not useable because n choices for w Bleichenbacher idea: broaden the peak in bias by reducing the c j s. B n (V) 1? L B n (V) x 9/ NTT Secure Platform Laboratories 1? L x w w
21 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 10/ NTT Secure Platform Laboratories
22 Implementing Bleichenbacher s algorithm (I) Key step of Bleicheinbacher s algorithm: reducing the c j s by finding small linear combinations between them De Mulder et al. use lattice reduction How Bleichenbacher suggested doing it is not completely clear (iterative collision search on MSBs?) We take a straightforward sort-and-difference approach: sort the (cj, h j ) list according to c j substract each c j from the next largest one (repeat) Starting from a list of L = 2 l samples, we reduce the size of the c j s by roughly l bits per iteration (justified by order statistic arguments) 11/ NTT Secure Platform Laboratories
23 Implementing Bleichenbacher s algorithm (I) Key step of Bleicheinbacher s algorithm: reducing the c j s by finding small linear combinations between them De Mulder et al. use lattice reduction How Bleichenbacher suggested doing it is not completely clear (iterative collision search on MSBs?) We take a straightforward sort-and-difference approach: sort the (cj, h j ) list according to c j substract each c j from the next largest one (repeat) Starting from a list of L = 2 l samples, we reduce the size of the c j s by roughly l bits per iteration (justified by order statistic arguments) 11/ NTT Secure Platform Laboratories
24 Implementing Bleichenbacher s algorithm (I) Key step of Bleicheinbacher s algorithm: reducing the c j s by finding small linear combinations between them De Mulder et al. use lattice reduction How Bleichenbacher suggested doing it is not completely clear (iterative collision search on MSBs?) We take a straightforward sort-and-difference approach: sort the (cj, h j ) list according to c j substract each c j from the next largest one (repeat) Starting from a list of L = 2 l samples, we reduce the size of the c j s by roughly l bits per iteration (justified by order statistic arguments) 11/ NTT Secure Platform Laboratories
25 Implementing Bleichenbacher s algorithm (I) Key step of Bleicheinbacher s algorithm: reducing the c j s by finding small linear combinations between them De Mulder et al. use lattice reduction How Bleichenbacher suggested doing it is not completely clear (iterative collision search on MSBs?) We take a straightforward sort-and-difference approach: sort the (cj, h j ) list according to c j substract each c j from the next largest one (repeat) Starting from a list of L = 2 l samples, we reduce the size of the c j s by roughly l bits per iteration (justified by order statistic arguments) 11/ NTT Secure Platform Laboratories
26 Implementing Bleichenbacher s algorithm (I) Key step of Bleicheinbacher s algorithm: reducing the c j s by finding small linear combinations between them De Mulder et al. use lattice reduction How Bleichenbacher suggested doing it is not completely clear (iterative collision search on MSBs?) We take a straightforward sort-and-difference approach: sort the (cj, h j ) list according to c j substract each c j from the next largest one (repeat) Starting from a list of L = 2 l samples, we reduce the size of the c j s by roughly l bits per iteration (justified by order statistic arguments) 11/ NTT Secure Platform Laboratories
27 Implementing Bleichenbacher s algorithm (II) Rest of the algorithm (as in De Mulder et al.): Once the cj s are short enough, carry out an FFT computation to find the peak Rank the candidate peaks to reveal the MSBs of x, and iterate the attack to find the remaining bits Main difficulties: Every reduction step squares the bias The correct guess of x not always the highest ranked On 1-bit bias, non-trivial engineering project: very costly in data, memory and CPU 12/ NTT Secure Platform Laboratories
28 Implementing Bleichenbacher s algorithm (II) Rest of the algorithm (as in De Mulder et al.): Once the cj s are short enough, carry out an FFT computation to find the peak Rank the candidate peaks to reveal the MSBs of x, and iterate the attack to find the remaining bits Main difficulties: Every reduction step squares the bias The correct guess of x not always the highest ranked On 1-bit bias, non-trivial engineering project: very costly in data, memory and CPU 12/ NTT Secure Platform Laboratories
29 Implementation results b B n (K) α Fraction of c j s reduced by l β bits in a list of 2 l β = 2 β = 1 β = 0 β = 1 β = 2 1st iteration nd iteration rd iteration th iteration th iteration / NTT Secure Platform Laboratories
30 Implementation results b B n (K) α Fraction of c j s reduced by l β bits in a list of 2 l β = 2 β = 1 β = 0 β = 1 β = 2 1st iteration nd iteration rd iteration th iteration th iteration Successfully implemented: SECG P160 R1 curve (C++, RELIC, FFTW) 2 33 signatures 4 sort-and-difference (remove 4 ˆ 32 bits) 52.5% reduced signatures final bias FFT on 32 bits 30 MSB retrieved 1 terabyte 1150 CPU-hours 13/ NTT Secure Platform Laboratories
31 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 14/ NTT Secure Platform Laboratories
32 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 15/ NTT Secure Platform Laboratories
33 Curves with fast endomorphisms The most costly operation in conventional elliptic curve crypto is elliptic curve scalar multiplication; e.g. in ECDSA signature generation, the computation [k]p Special curves can be used to increase the efficiency of such schemes: curves endowed with some fast endomorphism ψ This technique is used in almost all recent record-breaking implementations of ECC Example special curves: (Koblitz curves over binary fields) Gallant Lambert Vanstone (GLV) curves over prime fields Galbraith Lin Scott (GLS) curves over quadratic extensions more recent work (Ben Smith s Q-curves ) 16/ NTT Secure Platform Laboratories
34 Curves with fast endomorphisms The most costly operation in conventional elliptic curve crypto is elliptic curve scalar multiplication; e.g. in ECDSA signature generation, the computation [k]p Special curves can be used to increase the efficiency of such schemes: curves endowed with some fast endomorphism ψ on a prime order subgroup, ψ is the multiplication by some explicit (usually full size) constant λ to carry out scalar multiplication by k, write k = k1 + k 2 λ (k 1, k 2 of half size); then [k]p = [k 1 ]P + [k 2 ]ψ(p) double exponentiation: «1.7-fold speed-up This technique is used in almost all recent record-breaking implementations of ECC Example special curves: (Koblitz curves over binary fields) Gallant Lambert Vanstone (GLV) curves over prime fields Galbraith Lin Scott (GLS) curves over quadratic extensions more recent work (Ben Smith s Q-curves ) 16/ NTT Secure Platform Laboratories
35 Curves with fast endomorphisms The most costly operation in conventional elliptic curve crypto is elliptic curve scalar multiplication; e.g. in ECDSA signature generation, the computation [k]p Special curves can be used to increase the efficiency of such schemes: curves endowed with some fast endomorphism ψ This technique is used in almost all recent record-breaking implementations of ECC Example special curves: (Koblitz curves over binary fields) Gallant Lambert Vanstone (GLV) curves over prime fields Galbraith Lin Scott (GLS) curves over quadratic extensions more recent work (Ben Smith s Q-curves ) 16/ NTT Secure Platform Laboratories
36 Curves with fast endomorphisms The most costly operation in conventional elliptic curve crypto is elliptic curve scalar multiplication; e.g. in ECDSA signature generation, the computation [k]p Special curves can be used to increase the efficiency of such schemes: curves endowed with some fast endomorphism ψ This technique is used in almost all recent record-breaking implementations of ECC Example special curves: (Koblitz curves over binary fields) Gallant Lambert Vanstone (GLV) curves over prime fields Galbraith Lin Scott (GLS) curves over quadratic extensions more recent work (Ben Smith s Q-curves ) 16/ NTT Secure Platform Laboratories
37 Decomposition vs. recomposition In many algorithms (including ECDSA), we want to compute a random scalar multiplication With endomorphisms, two natural approaches considered in the literature: Decomposition: pick k at random, and then use an algorithm (lattice reduction, continued fractions, etc.) to find k 1, k 2 of half size such that k = k 1 + k 2 λ mod n Recomposition: pick k 1 and k 2 at random, implicitly choosing k = k 1 + k 2 λ mod n We are interested in the implications of these two approaches on vulnerability to HNP-type attacks 17/ NTT Secure Platform Laboratories
38 Decomposition vs. recomposition In many algorithms (including ECDSA), we want to compute a random scalar multiplication With endomorphisms, two natural approaches considered in the literature: Decomposition: pick k at random, and then use an algorithm (lattice reduction, continued fractions, etc.) to find k 1, k 2 of half size such that k = k 1 + k 2 λ mod n Recomposition: pick k 1 and k 2 at random, implicitly choosing k = k 1 + k 2 λ mod n We are interested in the implications of these two approaches on vulnerability to HNP-type attacks 17/ NTT Secure Platform Laboratories
39 Decomposition vs. recomposition In many algorithms (including ECDSA), we want to compute a random scalar multiplication With endomorphisms, two natural approaches considered in the literature: Decomposition: pick k at random, and then use an algorithm (lattice reduction, continued fractions, etc.) to find k 1, k 2 of half size such that k = k 1 + k 2 λ mod n Recomposition: pick k 1 and k 2 at random, implicitly choosing k = k 1 + k 2 λ mod n We are interested in the implications of these two approaches on vulnerability to HNP-type attacks 17/ NTT Secure Platform Laboratories
40 Decomposition vs. recomposition In many algorithms (including ECDSA), we want to compute a random scalar multiplication With endomorphisms, two natural approaches considered in the literature: Decomposition: pick k at random, and then use an algorithm (lattice reduction, continued fractions, etc.) to find k 1, k 2 of half size such that k = k 1 + k 2 λ mod n Recomposition: pick k 1 and k 2 at random, implicitly choosing k = k 1 + k 2 λ mod n We are interested in the implications of these two approaches on vulnerability to HNP-type attacks 17/ NTT Secure Platform Laboratories
41 Decomposition vs. recomposition In many algorithms (including ECDSA), we want to compute a random scalar multiplication With endomorphisms, two natural approaches considered in the literature: Decomposition: pick k at random, and then use an algorithm (lattice reduction, continued fractions, etc.) to find k 1, k 2 of half size such that k = k 1 + k 2 λ mod n Recomposition: pick k 1 and k 2 at random, implicitly choosing k = k 1 + k 2 λ mod n We are interested in the implications of these two approaches on vulnerability to HNP-type attacks 17/ NTT Secure Platform Laboratories
42 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 18/ NTT Secure Platform Laboratories
43 Recomposition with GLS Recomposition certainly presents more interesting theoretical challenges We look at the specific case of curves generated with the quadratic GLS method: E 0 over a prime field F p ; order: p + 1 t, t ď 2? p E quadratic twist of E0 over F p 2 we assume further that E(F p 2) is of prime order n; then: n = (p 1) 2 + t 2 and λ =? 1 = t 1 (p 1) mod n In this setting, two possible ways of carrying out recomposition: Careful way: pick k1, k 2 uniformly at random in [0,? n). This is secure! Careless way: pick k1, k 2 uniformly at random in [0, 2 m ) with m = t 1 2 log 2 nu. Can be broken with Bleichebacher s attack! 19/ NTT Secure Platform Laboratories
44 Recomposition with GLS Recomposition certainly presents more interesting theoretical challenges We look at the specific case of curves generated with the quadratic GLS method: E 0 over a prime field F p ; order: p + 1 t, t ď 2? p E quadratic twist of E0 over F p 2 we assume further that E(F p 2) is of prime order n; then: n = (p 1) 2 + t 2 and λ =? 1 = t 1 (p 1) mod n In this setting, two possible ways of carrying out recomposition: Careful way: pick k1, k 2 uniformly at random in [0,? n). This is secure! Careless way: pick k1, k 2 uniformly at random in [0, 2 m ) with m = t 1 2 log 2 nu. Can be broken with Bleichebacher s attack! 19/ NTT Secure Platform Laboratories
45 Recomposition with GLS Recomposition certainly presents more interesting theoretical challenges We look at the specific case of curves generated with the quadratic GLS method: E 0 over a prime field F p ; order: p + 1 t, t ď 2? p E quadratic twist of E0 over F p 2 we assume further that E(F p 2) is of prime order n; then: n = (p 1) 2 + t 2 and λ =? 1 = t 1 (p 1) mod n In this setting, two possible ways of carrying out recomposition: Careful way: pick k1, k 2 uniformly at random in [0,? n). This is secure! Careless way: pick k1, k 2 uniformly at random in [0, 2 m ) with m = t 1 2 log 2 nu. Can be broken with Bleichebacher s attack! 19/ NTT Secure Platform Laboratories
46 Recomposition with GLS Recomposition certainly presents more interesting theoretical challenges We look at the specific case of curves generated with the quadratic GLS method: E 0 over a prime field F p ; order: p + 1 t, t ď 2? p E quadratic twist of E0 over F p 2 we assume further that E(F p 2) is of prime order n; then: n = (p 1) 2 + t 2 and λ =? 1 = t 1 (p 1) mod n In this setting, two possible ways of carrying out recomposition: Careful way: pick k1, k 2 uniformly at random in [0,? n). This is secure! Careless way: pick k1, k 2 uniformly at random in [0, 2 m ) with m = t 1 2 log 2 nu. Can be broken with Bleichebacher s attack! 19/ NTT Secure Platform Laboratories
47 Recomposition with GLS Recomposition certainly presents more interesting theoretical challenges We look at the specific case of curves generated with the quadratic GLS method: E 0 over a prime field F p ; order: p + 1 t, t ď 2? p E quadratic twist of E0 over F p 2 we assume further that E(F p 2) is of prime order n; then: n = (p 1) 2 + t 2 and λ =? 1 = t 1 (p 1) mod n In this setting, two possible ways of carrying out recomposition: Careful way: pick k1, k 2 uniformly at random in [0,? n). This is secure! Careless way: pick k1, k 2 uniformly at random in [0, 2 m ) with m = t 1 2 log 2 nu. Can be broken with Bleichebacher s attack! 19/ NTT Secure Platform Laboratories
48 Security of the careful way When k 1, k 2 are chosen uniformly at random in [0,? n), k = k 1 + k 2 λ is statistically close to uniform in Z/nZ, hence security! Proof idea: show that (k 1, k 2 ) ÞÑ k 1 + k 2 λ induces an injective map [0, p 1) 2 Ñ Z/nZ if (x, y) (x 1, y 1 ) have the same image, the fact that λ 2 = 1 mod n yields (x x 1 ) 2 + (y y 1 ) 2 = n but n, as a prime, has only one representation as a sum of two squares: n = (p 1) 2 + t 2 therefore, x x 1 or y y 1 must be p 1, which is impossible. Good for quadratic GLS. Unfortunately, the proof doesn t immediately generalize to other curves with endomorphisms (e.g. GLV with D = 3?) 20/ NTT Secure Platform Laboratories
49 Security of the careful way When k 1, k 2 are chosen uniformly at random in [0,? n), k = k 1 + k 2 λ is statistically close to uniform in Z/nZ, hence security! Proof idea: show that (k 1, k 2 ) ÞÑ k 1 + k 2 λ induces an injective map [0, p 1) 2 Ñ Z/nZ if (x, y) (x 1, y 1 ) have the same image, the fact that λ 2 = 1 mod n yields (x x 1 ) 2 + (y y 1 ) 2 = n but n, as a prime, has only one representation as a sum of two squares: n = (p 1) 2 + t 2 therefore, x x 1 or y y 1 must be p 1, which is impossible. Good for quadratic GLS. Unfortunately, the proof doesn t immediately generalize to other curves with endomorphisms (e.g. GLV with D = 3?) 20/ NTT Secure Platform Laboratories
50 Security of the careful way When k 1, k 2 are chosen uniformly at random in [0,? n), k = k 1 + k 2 λ is statistically close to uniform in Z/nZ, hence security! Proof idea: show that (k 1, k 2 ) ÞÑ k 1 + k 2 λ induces an injective map [0, p 1) 2 Ñ Z/nZ if (x, y) (x 1, y 1 ) have the same image, the fact that λ 2 = 1 mod n yields (x x 1 ) 2 + (y y 1 ) 2 = n but n, as a prime, has only one representation as a sum of two squares: n = (p 1) 2 + t 2 therefore, x x 1 or y y 1 must be p 1, which is impossible. Good for quadratic GLS. Unfortunately, the proof doesn t immediately generalize to other curves with endomorphisms (e.g. GLV with D = 3?) 20/ NTT Secure Platform Laboratories
51 Insecurity of the careless way Suppose now that k 1, k 2 are chosen uniformly in [0, T), with T = 2 t 1 2 log 2 nu. Bleichenbacher does not apply directly, because the bias on k = k 1 + k 2 λ is small: B n (K) = B n (K 1 ) B n (λk 2 ) = 1 ˇ ˇsin(πT/n) ˇ 1 ˇ ˇsin(πλT/n) ˇ looooooomooooooon T sin(π/n) loooooooomoooooooon T sin(πλ/n) «1 But the bias on t k mod n is significant: negligible B n (tk) = B n (tk 1 ) B n ( (p 1)K2 ) «ˇˇˇsin(π(p 1)T/n) π(p 1)T/n 0.5 ă (p 1)T/n ă 1 if (p 1)T/n «0.5 (i.e n «power of 2): maximal bias ñ B n (tk) = 2/π «0.637 ˇ 21/ NTT Secure Platform Laboratories
52 Insecurity of the careless way Suppose now that k 1, k 2 are chosen uniformly in [0, T), with T = 2 t 1 2 log 2 nu. Bleichenbacher does not apply directly, because the bias on k = k 1 + k 2 λ is small: B n (K) = B n (K 1 ) B n (λk 2 ) = 1 ˇ ˇsin(πT/n) ˇ 1 ˇ ˇsin(πλT/n) ˇ looooooomooooooon T sin(π/n) loooooooomoooooooon T sin(πλ/n) «1 But the bias on t k mod n is significant: negligible B n (tk) = B n (tk 1 ) B n ( (p 1)K2 ) «ˇˇˇsin(π(p 1)T/n) π(p 1)T/n 0.5 ă (p 1)T/n ă 1 if (p 1)T/n «0.5 (i.e n «power of 2): maximal bias ñ B n (tk) = 2/π «0.637 ˇ 21/ NTT Secure Platform Laboratories
53 Insecurity of the careless way Suppose now that k 1, k 2 are chosen uniformly in [0, T), with T = 2 t 1 2 log 2 nu. Bleichenbacher does not apply directly, because the bias on k = k 1 + k 2 λ is small: B n (K) = B n (K 1 ) B n (λk 2 ) = 1 ˇ ˇsin(πT/n) ˇ 1 ˇ ˇsin(πλT/n) ˇ looooooomooooooon T sin(π/n) loooooooomoooooooon T sin(πλ/n) «1 But the bias on t k mod n is significant: negligible B n (tk) = B n (tk 1 ) B n ( (p 1)K2 ) «ˇˇˇsin(π(p 1)T/n) π(p 1)T/n 0.5 ă (p 1)T/n ă 1 if (p 1)T/n «0.5 (i.e n «power of 2): maximal bias ñ B n (tk) = 2/π «0.637 ˇ 21/ NTT Secure Platform Laboratories
54 Insecurity of the careless way Suppose now that k 1, k 2 are chosen uniformly in [0, T), with T = 2 t 1 2 log 2 nu. Bleichenbacher does not apply directly, because the bias on k = k 1 + k 2 λ is small: B n (K) = B n (K 1 ) B n (λk 2 ) = 1 ˇ ˇsin(πT/n) ˇ 1 ˇ ˇsin(πλT/n) ˇ looooooomooooooon T sin(π/n) loooooooomoooooooon T sin(πλ/n) «1 But the bias on t k mod n is significant: negligible B n (tk) = B n (tk 1 ) B n ( (p 1)K2 ) «ˇˇˇsin(π(p 1)T/n) π(p 1)T/n 0.5 ă (p 1)T/n ă 1 if (p 1)T/n «0.5 (i.e n «power of 2): maximal bias ñ B n (tk) = 2/π «0.637 ˇ 21/ NTT Secure Platform Laboratories
55 Concrete attack on the careless way We successfully applied this variant of Bleichenbacher on a 160-bit GLS curve E 0 : y 2 = x 3 3x/ minimal choice over the OPF field F p, p = E : y 2 = x 3 3x + 104?23 3 over F p 2 = F p (? 23) Timings and resource consumption similar to the SECG curve case, except for signature generation itself. 22/ NTT Secure Platform Laboratories
56 Concrete attack on the careless way We successfully applied this variant of Bleichenbacher on a 160-bit GLS curve E 0 : y 2 = x 3 3x/ minimal choice over the OPF field F p, p = E : y 2 = x 3 3x + 104?23 3 over F p 2 = F p (? 23) Timings and resource consumption similar to the SECG curve case, except for signature generation itself. 22/ NTT Secure Platform Laboratories
57 Concrete attack on the careless way We successfully applied this variant of Bleichenbacher on a 160-bit GLS curve E 0 : y 2 = x 3 3x/ minimal choice over the OPF field F p, p = E : y 2 = x 3 3x + 104?23 3 over F p 2 = F p (? 23) Timings and resource consumption similar to the SECG curve case, except for signature generation itself. 22/ NTT Secure Platform Laboratories
58 Concrete attack on the careless way We successfully applied this variant of Bleichenbacher on a 160-bit GLS curve E 0 : y 2 = x 3 3x/ minimal choice over the OPF field F p, p = E : y 2 = x 3 3x + 104?23 3 over F p 2 = F p (? 23) Timings and resource consumption similar to the SECG curve case, except for signature generation itself. 22/ NTT Secure Platform Laboratories
59 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 23/ NTT Secure Platform Laboratories
60 Decompositon and side-channels Recall that the decomposition approach consists in choosing k randomly, and computing half-size k 1, k 2 coefficients such that k = k 1 + k 2 λ mod n afterwards If k is chosen uniformly at random in Z/nZ, no mathematical problem with the distribution But the physical implementation of the algorithm computing (k 1, k 2 ) from k may leak information! Concretely, we considered a specific algorithm due to Park et al. for decomposition, and showed that an unprotected implementation of it leaks the LSBs of k Template attack on an 8-bit AVR smartcard: possible to recover the least significant byte of k. Then breaking ECDSA is easy with lattices! 24/ NTT Secure Platform Laboratories
61 Decompositon and side-channels Recall that the decomposition approach consists in choosing k randomly, and computing half-size k 1, k 2 coefficients such that k = k 1 + k 2 λ mod n afterwards If k is chosen uniformly at random in Z/nZ, no mathematical problem with the distribution But the physical implementation of the algorithm computing (k 1, k 2 ) from k may leak information! Concretely, we considered a specific algorithm due to Park et al. for decomposition, and showed that an unprotected implementation of it leaks the LSBs of k Template attack on an 8-bit AVR smartcard: possible to recover the least significant byte of k. Then breaking ECDSA is easy with lattices! 24/ NTT Secure Platform Laboratories
62 Decompositon and side-channels Recall that the decomposition approach consists in choosing k randomly, and computing half-size k 1, k 2 coefficients such that k = k 1 + k 2 λ mod n afterwards If k is chosen uniformly at random in Z/nZ, no mathematical problem with the distribution But the physical implementation of the algorithm computing (k 1, k 2 ) from k may leak information! Concretely, we considered a specific algorithm due to Park et al. for decomposition, and showed that an unprotected implementation of it leaks the LSBs of k Template attack on an 8-bit AVR smartcard: possible to recover the least significant byte of k. Then breaking ECDSA is easy with lattices! 24/ NTT Secure Platform Laboratories
63 Decompositon and side-channels Recall that the decomposition approach consists in choosing k randomly, and computing half-size k 1, k 2 coefficients such that k = k 1 + k 2 λ mod n afterwards If k is chosen uniformly at random in Z/nZ, no mathematical problem with the distribution But the physical implementation of the algorithm computing (k 1, k 2 ) from k may leak information! Concretely, we considered a specific algorithm due to Park et al. for decomposition, and showed that an unprotected implementation of it leaks the LSBs of k Template attack on an 8-bit AVR smartcard: possible to recover the least significant byte of k. Then breaking ECDSA is easy with lattices! 24/ NTT Secure Platform Laboratories
64 Decompositon and side-channels Recall that the decomposition approach consists in choosing k randomly, and computing half-size k 1, k 2 coefficients such that k = k 1 + k 2 λ mod n afterwards If k is chosen uniformly at random in Z/nZ, no mathematical problem with the distribution But the physical implementation of the algorithm computing (k 1, k 2 ) from k may leak information! Concretely, we considered a specific algorithm due to Park et al. for decomposition, and showed that an unprotected implementation of it leaks the LSBs of k Template attack on an 8-bit AVR smartcard: possible to recover the least significant byte of k. Then breaking ECDSA is easy with lattices! 24/ NTT Secure Platform Laboratories
65 Outline Attack on ECDSA with 1-bit nonce bias HNP attacks on ECDSA Our attack on 1-bit bias GLV/GLS decomposition and HNP Curves with fast endomorphisms The recomposition approach The decomposition approach Conclusion 25/ NTT Secure Platform Laboratories
66 Conclusion Record of the smallest amount of nonce bias needed to break ECDSA 1-bit bias on 160-bit elliptic curves! impossible with lattices, but doable with Bleichenbacher significant computational effort, but a resourceful attacker could go much further (256-bit curves?) One should be careful about GLV/GLS decomposition GLV/GLS curves are not safe against nonce attacks When properly carried out, the recomposition technique can be secure When using decomposition, pay attention to side-channels 26/ NTT Secure Platform Laboratories
67 Conclusion Record of the smallest amount of nonce bias needed to break ECDSA 1-bit bias on 160-bit elliptic curves! impossible with lattices, but doable with Bleichenbacher significant computational effort, but a resourceful attacker could go much further (256-bit curves?) One should be careful about GLV/GLS decomposition GLV/GLS curves are not safe against nonce attacks When properly carried out, the recomposition technique can be secure When using decomposition, pay attention to side-channels 26/ NTT Secure Platform Laboratories
68 謝謝! Thank you for your attention 27/ NTT Secure Platform Laboratories
GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures with Single-Bit Nonce Bias
GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures with Single-Bit Nonce Bias Diego F. Aranha 1, Pierre-Alain Fouque 2,Benoît Gérard 3,4, Jean-Gabriel Kammerer 3,5, Mehdi Tibouchi 6,
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationFour-Dimensional GLV Scalar Multiplication
Four-Dimensional GLV Scalar Multiplication ASIACRYPT 2012 Beijing, China Patrick Longa Microsoft Research Francesco Sica Nazarbayev University Elliptic Curve Scalar Multiplication A (Weierstrass) elliptic
More informationRecovering Private Keys Generated With Weak PRNGs
Recovering Private Keys Generated With Weak PRNGs Pierre-Alain Fouque (Univ. Rennes 1) Mehdi Tibouchi (NTT Secure Platform Lab.) Jean-Christophe Zapalowicz (Inria) Journées C2 2014 Jean-Christophe Zapalowicz
More informationHigh-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition
High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition Joppe W. Bos, Craig Costello, Huseyin Hisil, Kristin Lauter CHES 2013 Motivation - I Group DH ECDH (F p1, ) (E F p2, +)
More informationHidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *
2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS
More informationPractical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud École normale supérieure CHES September, 15th 2015 (with Aurélie Bauer) Damien Vergnaud
More informationUsing Bleichenbacher s Solution to the Hidden Number Problem to Attack Nonce Leaks in 384-Bit ECDSA
Using Bleichenbacher s Solution to the Hidden Number Problem to Attack Nonce Leaks in 384-Bit ECDSA Elke De Mulder 1, Michael Hutter 1,2*, Mark E. Marson 1, and Peter Pearson 1 1 Cryptography Research,
More informationCrypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.
Crypto math II Alin Tomescu alinush@mit.edu May 7, 015 Abstract A quick overview on group theory from Ron Rivest s 6.857 course in Spring 015. 1 Overview Group theory review Diffie-Hellman (DH) key exchange
More informationEfficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves
Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves SESSION ID: CRYP-T07 Patrick Longa Microsoft Research http://research.microsoft.com/en-us/people/plonga/
More informationSide-channel attacks on PKC and countermeasures with contributions from PhD students
basics Online Side-channel attacks on PKC and countermeasures (Tutorial @SPACE2016) with contributions from PhD students Lejla Batina Institute for Computing and Information Sciences Digital Security Radboud
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationSome Security Comparisons of GOST R and ECDSA Signature Schemes
Some Security Comparisons of GOST R 34.10-2012 and ECDSA Signature Schemes Trieu Quang Phong Nguyen Quoc Toan Institute of Cryptography Science and Technology Gover. Info. Security Committee, Viet Nam
More informationNew Variant of ElGamal Signature Scheme
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662 New Variant of ElGamal Signature Scheme Omar Khadir Department of Mathematics Faculty of Science and Technology University of Hassan II-Mohammedia,
More informationExplicit Complex Multiplication
Explicit Complex Multiplication Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Explicit CM Eindhoven,
More informationA Small Subgroup Attack on Arazi s Key Agreement Protocol
Small Subgroup ttack on razi s Key greement Protocol Dan Brown Certicom Research, Canada dbrown@certicom.com lfred Menezes Dept. of C&O, University of Waterloo, Canada ajmeneze@uwaterloo.ca bstract In
More informationFast point multiplication algorithms for binary elliptic curves with and without precomputation
Fast point multiplication algorithms for binary elliptic curves with and without precomputation Thomaz Oliveira 1 Diego F. Aranha 2 Julio López 2 Francisco Rodríguez-Henríquez 1 1 CINVESTAV-IPN, Mexico
More informationLecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 14 More on Digital Signatures and Variants COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We will cover in more depth some issues for
More informationAsymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)
Asymmetric Pairings Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp) 1 Overview In their 2006 paper "Pairings for cryptographers", Galbraith, Paterson and Smart identified three
More informationAn improved compression technique for signatures based on learning with errors
An improved compression technique for signatures based on learning with errors Shi Bai and Steven D. Galbraith Department of Mathematics, University of Auckland. CT-RSA 2014 1 / 22 Outline Introduction
More informationBatch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco
Batch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco Department of Computer Science and Engineering Indian Institute of Technology Kharagpur, West Bengal, India. Outline Introduction
More informationOn the Bit Security of Elliptic Curve Diffie Hellman
On the Bit Security of Elliptic Curve Diffie Hellman Barak Shani Department of Mathematics, University of Auckland, New Zealand Abstract This paper gives the first bit security result for the elliptic
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationElGamal type signature schemes for n-dimensional vector spaces
ElGamal type signature schemes for n-dimensional vector spaces Iwan M. Duursma and Seung Kook Park Abstract We generalize the ElGamal signature scheme for cyclic groups to a signature scheme for n-dimensional
More informationLattice-Based Fault Attacks on RSA Signatures
Lattice-Based Fault Attacks on RSA Signatures Mehdi Tibouchi École normale supérieure Workshop on Applied Cryptography, Singapore, 2010-12-03 Gist of this talk Review a classical attack on RSA signatures
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationHorizontal and Vertical Side-Channel Attacks against Secure RSA Implementations
Introduction Clavier et al s Paper This Paper Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations Aurélie Bauer Éliane Jaulmes Emmanuel Prouff Justine Wild ANSSI Session ID:
More informationA DPA attack on RSA in CRT mode
A DPA attack on RSA in CRT mode Marc Witteman Riscure, The Netherlands 1 Introduction RSA is the dominant public key cryptographic algorithm, and used in an increasing number of smart card applications.
More informationSignatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven
Signatures and DLP-I Tanja Lange Technische Universiteit Eindhoven How to compute ap Use binary representation of a to compute a(x; Y ) in blog 2 ac doublings and at most that many additions. E.g. a =
More informationKatherine Stange. Pairing, Tokyo, Japan, 2007
via via Department of Mathematics Brown University http://www.math.brown.edu/~stange/ Pairing, Tokyo, Japan, 2007 Outline via Definition of an elliptic net via Definition (KS) Let R be an integral domain,
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationDigital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay
Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationOn the Big Gap Between p and q in DSA
On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that
More informationSome Lattice Attacks on DSA and ECDSA
Some Lattice Attacks on DSA and ECDSA Dimitrios Poulakis Department of Mathematics, Aristotle University of Thessaloniki, Thessaloniki 54124, Greece, email:poulakis@math.auth.gr November 10, 2010 Abstract
More informationSelecting Elliptic Curves for Cryptography Real World Issues
Selecting Elliptic Curves for Cryptography Real World Issues Michael Naehrig Cryptography Research Group Microsoft Research UW Number Theory Seminar Seattle, 28 April 2015 Elliptic Curve Cryptography 1985:
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationMasking the GLP Lattice-Based Signature Scheme at any Order
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin
More informationCryptanalysis via Lattice Techniques
Cryptanalysis via Lattice Techniques Alexander May Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr-University Bochum crypt@b-it 2010, Aug 2010, Bonn Lecture 1, Mon Aug 2 Introduction
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationSecurity Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2
Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 ) December 2001 Contents Summary 2 Detailed Evaluation 3 1 The Elliptic Curve Method 3 1.1 The ECM applied to N = p d............................
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among
More informationMathematical analysis of the computational complexity of integer sub-decomposition algorithm
Journal of Physics: Conference Series PAPER OPEN ACCESS Mathematical analysis of the computational complexity of integer sub-decomposition algorithm To cite this article: Ruma Kareem K Ajeena and Hailiza
More informationA point compression method for elliptic curves defined over GF (2 n )
A point compression method for elliptic curves defined over GF ( n ) Brian King Purdue School of Engineering Indiana Univ. Purdue Univ. at Indianapolis briking@iupui.edu Abstract. Here we describe new
More informationNotes for Lecture 15
COS 533: Advanced Cryptography Lecture 15 (November 8, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Kevin Liu Notes for Lecture 15 1 Lattices A lattice looks something like the following.
More informationCRYPTANALYSIS OF ELGAMAL TYPE DIGITAL SIGNATURE SCHEMES USING INTEGER DECOMPOSITION
Trends in Mathematics Information Center for Mathematical Sciences Volume 8, Number 1, June, 2005, Pages 167 175 CRYPTANALYSIS OF ELGAMAL TYPE DIGITAL SIGNATURE SCHEMES USING INTEGER DECOMPOSITION IKKWON
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationHigh-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition
High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition Joppe W. Bos 1, Craig Costello 1, Huseyin Hisil 2, and Kristin Lauter 1 1 Microsoft Research, Redmond, USA 2 Yasar University,
More informationDigital signature schemes
Digital signature schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction digital signature scheme security of digital
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationProvable Security Proofs and their Interpretation in the Real World
Provable Security Proofs and their Interpretation in the Real World Vikram Singh Abstract This paper analyses provable security proofs, using the EDL signature scheme as its case study, and interprets
More informationFurther Results on Implicit Factoring in Polynomial Time
Further Results on Implicit Factoring in Polynomial Time Santanu Sarkar and Subhamoy Maitra Indian Statistical Institute, 203 B T Road, Kolkata 700 108, India {santanu r, subho}@isical.ac.in Abstract.
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationBlinded Fault Resistant Exponentiation FDTC 06
Previous Work Our Algorithm Guillaume Fumaroli 1 David Vigilant 2 1 Thales Communications guillaume.fumaroli@fr.thalesgroup.com 2 Gemalto david.vigilant@gemalto.com FDTC 06 Outline Previous Work Our Algorithm
More informationAttacking DSA Under a Repeated Bits Assumption
Attacking DSA Under a Repeated Bits Assumption P.J. Leadbitter, D. Page, and N.P. Smart Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB, United
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationNew Attacks on the Concatenation and XOR Hash Combiners
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. We study the security of the concatenation combiner H 1(M) H 2(M)
More informationOn the Key-collisions in the Signature Schemes
On the Key-collisions in the Signature Schemes Tomáš Rosa ICZ a.s., Prague, CZ Dept. of Computer Science, FEE, CTU in Prague, CZ tomas.rosa@i.cz Motivation to study k-collisions Def. Non-repudiation [9,10].
More informationSingular curve point decompression attack
Singular curve point decompression attack Peter Günther joint work with Johannes Blömer University of Paderborn FDTC 2015, September 13th, Saint Malo Peter Günther (UPB) Decompression Attack FDTC 2015
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationIMPROVING THE PARALLELIZED POLLARD LAMBDA SEARCH ON ANOMALOUS BINARY CURVES
MATHEMATICS OF COMPUTATION Volume 69, Number 232, Pages 1699 1705 S 0025-5718(99)01119-9 Article electronically published on May 19, 1999 IMPROVING THE PARALLELIZED POLLARD LAMBDA SEARCH ON ANOMALOUS BINARY
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationFour-Dimensional Gallant-Lambert-Vanstone Scalar Multiplication
Four-Dimensional Gallant-Lambert-Vanstone Scalar Multiplication Patrick Longa and Francesco Sica 2 Microsoft Research, USA plonga@microsoft.com 2 Nazarbayev University, Kazakhstan francesco.sica@nu.edu.kz
More informationBreaking Plain ElGamal and Plain RSA Encryption
Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain
More informationFaster Point Multiplication on Elliptic Curves with Efficient Endomorphisms
Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms Robert P. Gallant 1, Robert J. Lambert 1, and Scott A. Vanstone 1,2 1 Certicom Research, Canada {rgallant,rlambert,svanstone}@certicom.com
More informationone eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th
Exposing an RSA Private Key Given a Small Fraction of its Bits Dan Boneh Glenn Durfee y Yair Frankel dabo@cs.stanford.edu gdurf@cs.stanford.edu yfrankel@cs.columbia.edu Stanford University Stanford University
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationLecture 24: MAC for Arbitrary Length Messages. MAC Long Messages
Lecture 24: MAC for Arbitrary Length Messages Recall Previous lecture, we constructed MACs for fixed length messages The GGM Pseudo-random Function (PRF) Construction Given. Pseudo-random Generator (PRG)
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationA message recovery signature scheme equivalent to DSA over elliptic curves
A message recovery signature scheme equivalent to DSA over elliptic curves Atsuko Miyaji Multimedia Development Center Matsushita Electric Industrial Co., LTD. E-mail : miyaji@isl.mei.co.jp Abstract. The
More informationA Generic Algorithm for Small Weight Discrete Logarithms in Composite Groups
A Generic Algorithm for Small Weight Discrete Logarithms in Composite Groups Alexander May and Ilya Ozerov Horst Görtz Institute for IT-Security Ruhr-University Bochum, Germany Faculty of Mathematics alex.may@rub.de,
More informationQuantum Oracle Classification
Quantum Oracle Classification The Case of Group Structure Mark Zhandry Princeton University Query Complexity x O(x) O:Xà Y Info about O Examples: Pre- image of given output Collision Complete description
More informationA New Attack on RSA with Two or Three Decryption Exponents
A New Attack on RSA with Two or Three Decryption Exponents Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationPublic key exchange using semidirect product of (semi)groups
Public key exchange using semidirect product of (semi)groups Maggie Habeeb 1, Delaram Kahrobaei 2, Charalambos Koupparis 3, and Vladimir Shpilrain 4 1 California University of Pennsylvania habeeb@calu.edu
More informationA Note on Scalar Multiplication Using Division Polynomials
1 A Note on Scalar Multiplication Using Division Polynomials Binglong Chen, Chuangqiang Hu and Chang-An Zhao Abstract Scalar multiplication is the most important and expensive operation in elliptic curve
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationEfficient Application of Countermeasures for Elliptic Curve Cryptography
Efficient Application of Countermeasures for Elliptic Curve Cryptography Vladimir Soukharev, Ph.D. Basil Hess, Ph.D. InfoSec Global Inc. May 19, 2017 Outline Introduction Brief Summary of ECC Arithmetic
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationIntroduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes
Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More
More informationImproved High-Order Conversion From Boolean to Arithmetic Masking
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1, Jean-Sébastien Coron 2, and Rina Zeitoun 1 1 IDEMIA, France luk.bettale@idemia.com, rina.zeitoun@idemia.com 2 University
More informationOn the strength comparison of ECC and RSA
SHARCS 2012 (Special-Purpose Hardware for Attacking Cryptographic Systems) Date: 17-18 March 2012 Place: Washington, DC, USA On the strength comparison of ECC and RSA Masaya Yasuda, Takeshi Shimoyama,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationSliding right into disaster - Left-to-right sliding windows leak
Sliding right into disaster - Left-to-right sliding windows leak Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and
More informationArithmétique et Cryptographie Asymétrique
Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians
More informationElliptic Curve Discrete Logarithm Problem
Elliptic Curve Discrete Logarithm Problem Vanessa VITSE Université de Versailles Saint-Quentin, Laboratoire PRISM October 19, 2009 Vanessa VITSE (UVSQ) Elliptic Curve Discrete Logarithm Problem October
More informationOn the complexity of computing discrete logarithms in the field F
On the complexity of computing discrete logarithms in the field F 3 6 509 Francisco Rodríguez-Henríquez CINVESTAV-IPN Joint work with: Gora Adj Alfred Menezes Thomaz Oliveira CINVESTAV-IPN University of
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationFast Evaluation of Polynomials over Binary Finite Fields. and Application to Side-channel Countermeasures
Fast Evaluation of Polynomials over Binary Finite Fields and Application to Side-channel Countermeasures Jean-Sébastien Coron 1, Arnab Roy 1,2, Srinivas Vivek 1 1 University of Luxembourg 2 DTU, Denmark
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationSecret Key Leakage from Public Key Perturbation of DLP-based Cryptosystems
Secret Key Leakage from Public Key Perturbation of DLP-based Cryptosystems Alexandre Berzati 1,2, Cécile Canovas-Dumas 1, Louis Goubin 2 1 CEA-LETI/MINATEC, 17 rue des Martyrs, 38054 Grenoble Cedex 9,
More informationEfficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand
Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe Negre, Thomas Plantard, Jean-Marc Robert Team DALI (UPVD) and LIRMM (UM2, CNRS), France CCISR, SCIT, (University
More informationThe quantum threat to cryptography
The quantum threat to cryptography Ashley Montanaro School of Mathematics, University of Bristol 20 October 2016 Quantum computers University of Bristol IBM UCSB / Google University of Oxford Experimental
More information